Mozilla is adding some new runtime installation features to reduce the size of the mobile Firefox APK. Is this happening at all on desktop? It makes me nervous as the "default" config could vary much more greatly, not to mention having a new centralized attack channel.
----- Original message -----
From: Sebastian Kaspari s.kaspari@gmail.com
To: "mobile-firefox-dev" mobile-firefox-dev@mozilla.org
Subject: Downloadable content: Fonts!
Date: Fri, 19 Feb 2016 11:56:42 +0000
Good news, everyone!
Our first step to downloadable content has been enabled in Nightly: This means we have now stopped shipping fonts[1] in the APK and instead download them at runtime (Bug 1194338 [2]).
With that we reduced the size of the APK by roughly 6.4% (~ 2.7MB) [3]. Without having the fonts downloaded (yet) our users can still browse websites but they may look less nice. And in fact, as things go, a bug caused just that to happen in Nightly (We don't download any fonts): bug 1249354 [4]. So if websites are currently looking a bit weird on Nightly then that's because of that. The bug should be resolved soon and after that let me know if you see any new weird issues related to (wrong) fonts. :)
Our plans for the future:
* Right now we ship the list of fonts and the location to download with the application. We want to synchronize this catalog of content from a Kinto instance: https://bugzilla.mozilla.org/show_bug.cgi?id=1201059
* We want to download hyphenation dictionaries at runtime too: https://bugzilla.mozilla.org/show_bug.cgi?id=1095719
* Eventually we might even want to download (some) localization files at runtime: https://bugzilla.mozilla.org/show_bug.cgi?id=945123
Best, Sebastian
[1] https://www.youtube.com/watch?v=6J2rrFiN1Jw
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1194338
[3] https://twitter.com/Anti_Hype/status/699905577196134400
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1249354
On 2/19/16, Nathan Freitas nathan@freitas.net wrote:
Mozilla is adding some new runtime installation features to reduce the size of the mobile Firefox APK. Is this happening at all on desktop? It makes me nervous as the "default" config could vary much more greatly, not to mention having a new centralized attack channel.
Maybe not so new an attack channel. Have you seen https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
"Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server"
https://blog.torproject.org/blog/tor-browser-552-released Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library.
Regards, Lee
On 19/02/16 16:21, Spencer wrote:
Hi,
Nathan Freitas: Mozilla
At what point do the efforts to patch Firefox outweigh the efforts to build a browser from scratch?
Wordlife, Spencer
Or at the very least base off something else? I don't think TBB is quite at that point *just* yet from what I've observed, though it must be frustrating having to deal with Mozilla constantly throwing the kitchen sink at the browser.
On Fri, 2016-02-19 at 16:21 +0000, Spencer wrote:
At what point do the efforts to patch Firefox outweigh the efforts to build a browser from scratch?
Browsers are extremely complicated.
If you want to explore Mozilla's efforts to build a more modern browser, then I suggest you look over and build Servo:
https://github.com/servo/servo https://github.com/servo/servo/wiki/Design https://servo.org/
It's cool to imagine free software and privacy communities turning Servo into a viable browser that caters to their interests. Afaik, Servo is the only realistic option for minimizing C code in the browser too. In reality, Servo fails to render much of the web correctly because it's a messy problem.
Jeff
I think this strays a bit far afield from tor-dev, but..
If an academic group was interested in basically redesigning the web to be more sane, then Servo might be a good place to start.
There are a whole bunch of things one could do, like forcing much more to be cacheable by using content based addressing, restrict cross site/origin communication to be with single use blind signed tokens and/or involve user approval, restrict the role of javascript, embed a better PKI, etc. All the stuff that TBB cannot do because it'd break too many sites.
In short, one could attempt to build a better freenet using grants for "security" work. And the long game would be to guilt the browser makers and web standards people into tightening things up.